Snort mailing list archives
Re: Snot attacks and -z est option - regarding FAQ 1.9
From: counter.spy () gmx de
Date: Mon, 1 Apr 2002 18:21:07 +0200 (MEST)
Hi Chris,
Another question: I have performed some testing with snot-0.92a attacks against snort during the last few weeks. The FAQ claims that snort is not vulnerable to such attacks, but I have found some problems with snort during these tests. Some of them are fixed with the 1.8.4 release but some are not.
What other problems besides your next one?
Those Short Header Problems that caused 1.8.4-beta4 to crash and which you have already fixed, remember? ;)
One of the problems that I think I also have read about on this list is the following: Snot uses random IP numbers. Running Snot against a snorted machine over a longer period of time (I ran it overnight) without delays caused the system to reach its limits for creating new files. This in turn caused snort to terminate.
what logging mode?
mySQL and default logging to /var/log/snort/
Sounds like default which is so often misconfigured
Yep, we already discussed that. :)
I'm wholly tempted to axe it out of snort forever.
Good idea. I don't like the fashion of snort's default logging anyway, for exactly this reason. Well, I remember you telling me that in one of your replies to my mail where I addressed this problem. But I hadn't "-z established" enabled at this time.
Of course in a productive environment you will have reacted long before this happens, because such attacks are very noisy and unlikely to happen. But it could be used in order to hide the real attack within all the noise that snot generates, so some correlation is needed in order to eliminate those "false positives". Another issue is that I tried to reduce the alerts that were caused by snot by using the -z est option. That idea was based on my assumption that snot causes many fake connections, i.e. no real connections are established. This did not help; I still got most of the alerts.
Was stream4 enabled? What was your snort output? Were the alerts ICMP and UDP? Those don't have sessions that could be established.
I was using part of sandro's settings from "Snort-Setup for Statistics HOWTO":

    preprocessor frag2
    preprocessor stream4: detect_scans detect_state_problems
    preprocessor stream4_reassemble: ports all
    preprocessor unidecode: 80 8080 3128
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
    preprocessor portscan-ignorehosts: $DNS_SERVERS
-z est makes it "harder" because they actually have to get an established stream.
As you possibly know, I am testing several IDSs just as part of my thesis and thus focus on very basic testing. My aim is to develop a concept on which technologies to use and how to deploy IDS within our corporate network. My time is very limited (3 months). I must admit that I have already finished tests with snort and that the "-z established" was just a quick last check in order to see if it reduces alerts that were generated by snot. For this reason I ran snot with 100 packets for each test, using only 10 rules that were mixed TCP and UDP - 3 tests with and 3 without the "-z established" option. I didn't check each alert in detail, just the number of alerts, and I found this didn't vary much.
Of course the attacked system still had the possibility of resolving the correct source IP through ARP, because attacker and target are in the same network, and so the target still gets the original MAC address and is able to reply to the snot machine.
arp who-was? :-) Generating alerts isn't restricted to that and you could do DDOS zombies with bind.version queries and generate just as many alerts and they would be valid.
So do you agree with me that snot can be used for a kind of DoSing snort, or at least the poor analyst who has to check all those alerts?
--
Chris Green <cmg () snort org> "I'm beginning to think that my router may be confused."
Thanks for your input. Sorry that I didn't have the time to go into more detailed analysis. Maybe I will do a proper test on this later, if I still have the time in the end.
Greetings,
D. Liesen
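One way an analyst could do the correlation this thread calls for, as an added example that is not code from the thread or from Snort: a small Python triage of a constructed burst of Snort fast-format alert lines (the line layout and the rule IDs are assumed). It separates a decoy flood of random one-shot sources from a source that repeats, and counts the UDP/ICMP alerts that -z est cannot suppress because those protocols carry no established-stream state.

```python
import re
from collections import Counter

# Snort "fast" alert line layout is assumed here; the sample lines are constructed.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>TCP|UDP|ICMP)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample burst: five one-shot alerts from scattered sources plus one
# source (192.0.2.200) that comes back, the way a real scanner would.
SAMPLE_LINES = [
    "04/01-18:21:07.000001 [**] [1:1228:1] SCAN nmap XMAS [**] {TCP} 203.0.113.5:6000 -> 192.0.2.10:80",
    "04/01-18:21:07.000002 [**] [1:1616:1] DNS named version attempt [**] {UDP} 198.51.100.77:53 -> 192.0.2.10:53",
    "04/01-18:21:07.000003 [**] [1:469:1] ICMP PING NMAP [**] {ICMP} 203.0.113.99 -> 192.0.2.10",
    "04/01-18:21:07.000004 [**] [1:1228:1] SCAN nmap XMAS [**] {TCP} 198.51.100.8:6000 -> 192.0.2.10:80",
    "04/01-18:21:07.000005 [**] [1:1616:1] DNS named version attempt [**] {UDP} 203.0.113.42:53 -> 192.0.2.10:53",
    "04/01-18:21:07.000006 [**] [1:1228:1] SCAN nmap XMAS [**] {TCP} 192.0.2.200:4444 -> 192.0.2.10:80",
    "04/01-18:21:08.000007 [**] [1:1228:1] SCAN nmap XMAS [**] {TCP} 192.0.2.200:4445 -> 192.0.2.10:80",
    "this line is not an alert and is skipped",
]

def parse_alerts(lines):
    """Return (sid, proto, src) for every line that matches the alert layout."""
    found = [ALERT_RE.search(line) for line in lines]
    return [(m["sid"], m["proto"], m["src"]) for m in found if m]

def triage(alerts, single_shot_ratio=0.8, min_sources=5):
    """Summarise an alert burst before trusting it.
    A decoy generator with random source addresses shows up as many distinct
    sources that each fire once; a real scan or exploit attempt repeats its
    source. The UDP/ICMP count is what -z est can never suppress, because
    those protocols carry no established-stream state.
    """
    per_src = Counter(src for _, _, src in alerts)
    per_proto = Counter(proto for _, proto, _ in alerts)
    single_shot = sum(1 for n in per_src.values() if n == 1)
    ratio = single_shot / len(per_src) if per_src else 0.0
    return {
        "alerts": len(alerts),
        "unique_sources": len(per_src),
        "single_shot_ratio": round(ratio, 2),
        "not_affected_by_z_est": per_proto["UDP"] + per_proto["ICMP"],
        "likely_decoy_flood": len(per_src) >= min_sources and ratio >= single_shot_ratio,
        "repeat_sources": [s for s, n in per_src.most_common() if n > 1],
    }

def triage_sample():
    return triage(parse_alerts(SAMPLE_LINES))
```

Calling triage_sample() on the constructed burst flags it as a likely decoy flood (5 of 6 sources fired once), reports 3 UDP/ICMP alerts that -z est leaves untouched, and singles out 192.0.2.200 as the one source worth a closer look.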